Small milestone in PersonalJournal project - Journal of Omnifarious

Aug. 20th, 2008

05:07 pm - Small milestone in PersonalJournal project

I managed to put together a TurboGears application that allows logging in via OpenID. Well, OK, not completely, but the hard part of setting up the two-step process of verifying an OpenID someone enters is done.

This was one of the small hurdles to putting together my PersonalJournal project.

Some parts of this, like the oid_store and a few other components, should be split out into a general package so other people can make TurboGears programs that support OpenID as a client. I would like to know how to make TurboGears extensions that can be used when you're starting a TurboGears application to add new model classes, like the identity extension. OpenID needs some model classes for the OpenID store.

I also stuck in a framework for putting mini-sessions around certain tasks within a session. This is so that my site will be resistant to cross-site scripting attacks based on POSTing to a random URL. I intend to make most POST URLs include a sub-session identifier as part of the URL or a required part of the data posted.

I also added secret data to the session object in the database. This is because I needed to have an HMAC key. I wanted to hand the client some data and wanted to make sure that when it handed it back to me that it was exactly the data I gave it. So the data includes an HMAC of itself using the secret as a key. I imagine this secret data will be more widely useful in other parts of the system.
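As an added illustration (my own sketch, not code from the post or the PersonalJournal project), here is how the per-session secret and the HMAC-protected sub-session identifier from the two paragraphs above fit together: the server seals a task name plus a nonce with the session's secret, hands the token to the client, and on POST only accepts it if the HMAC verifies and the task matches. The function names, SHA-256, and the in-memory secret (the post stores it in the session row) are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

DIGEST = hashlib.sha256
TAG_LEN = DIGEST().digest_size  # 32 bytes


def new_session_secret() -> bytes:
    """Per-session HMAC key; the post keeps this in the session record, here it stays in memory."""
    return os.urandom(32)


def seal(secret: bytes, payload: bytes) -> str:
    """Hand the client the payload plus an HMAC of it so tampering is detectable on return."""
    tag = hmac.new(secret, payload, DIGEST).digest()
    return base64.urlsafe_b64encode(payload + tag).decode("ascii")


def unseal(secret: bytes, token: str) -> Optional[bytes]:
    """Return the payload only if its HMAC verifies under this session's secret, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # bad padding, non-ASCII, etc.
        return None
    if len(raw) < TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, payload, DIGEST).digest()
    # Constant-time compare so a forger cannot learn the tag byte by byte.
    return payload if hmac.compare_digest(tag, expected) else None


def start_subsession(secret: bytes, task: str) -> str:
    """Mint the sub-session identifier to embed in a POST URL or form for one task."""
    nonce = os.urandom(16).hex()
    return seal(secret, f"{task}:{nonce}".encode("ascii"))


def accept_post(secret: bytes, token: str, task: str) -> bool:
    """Accept a POST only if the token is intact, sealed with this session's secret, and for this task."""
    payload = unseal(secret, token)
    if payload is None:
        return False
    name, _, _nonce = payload.decode("ascii", "replace").rpartition(":")
    # A production version would also record and consume the nonce to stop replay within the session.
    return name == task
```

Because the key is per session, a token minted for one session verifies for no other, even if it was copied out of a page.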

A better name than 'PersonalJournal' might be in order. The WSJ appears to have used this in the past (or possibly even currently) for some feature of theirs. I'm actually OK with colliding with that though.